author | clement <clement@FreeBSD.org> | 2006-01-15 00:03:43 +0800 |
committer | clement <clement@FreeBSD.org> | 2006-01-15 00:03:43 +0800 |
commit | 97d46c6e0c796d7c19d1fc581eb87c32bc3dc3fc (patch) | |
tree | bee04b664a7a6b228daa815b2cf974f2f22b4eee /www | |
parent | 605ca31d67b79ab83a763d41eac785447fc176d8 (diff) | |
- SECURITY: CVE-2005-3357 (cve.mitre.org)
mod_ssl: Fix a possible crash during access control checks if a
non-SSL request is processed for an SSL vhost (such as the
"HTTP request received on SSL port" error message when an 400
ErrorDocument is configured, or if using "SSLEngine optional").
[1]
- reintroduce support of multiple instances of apache in startup
script [2]
- Add configtest command to apache22.sh [2]
- rewrite detection of accf_http filter to make it work on all
supported branches.
- fix rcorder [3]
- fix startup at boot time when profiles are used [4]
Spotted by: simon [1], flz[3]
Submitted by: Jarrod Sayers <jarrod@netleader.com.au> [2],
Joe Horn <joehorn@mi.chu.edu.tw> [4]
PR: ports/91154 [2], ports/90708 [4]
Diffstat (limited to 'www')
-rw-r--r-- | www/apache22/Makefile | 2 | ||||
-rw-r--r-- | www/apache22/files/apache.sh | 93 | ||||
-rw-r--r-- | www/apache22/files/patch-secfix-CAN-2005-3357 | 21 |
3 files changed, 103 insertions, 13 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 5ea3b946fd10..fe906847c251 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -9,7 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.2.0
-PORTREVISION= 4
+PORTREVISION= 5
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 http://apache.webthing.com/database/:aprmysql
diff --git a/www/apache22/files/apache.sh b/www/apache22/files/apache.sh
index d6b5b8dca05e..19a7b3b46c55 100644
--- a/www/apache22/files/apache.sh
+++ b/www/apache22/files/apache.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: /tmp/pcvs/ports/www/apache22/files/Attic/apache.sh,v 1.10 2005-12-13 22:26:57 clement Exp $
+# $FreeBSD: /tmp/pcvs/ports/www/apache22/files/Attic/apache.sh,v 1.11 2006-01-14 16:03:43 clement Exp $
 #
 # PROVIDE: apache22
@@ -12,6 +12,8 @@
 # Add the following lines to /etc/rc.conf to enable apache22:
 # apache22_enable (bool): Set to "NO" by default.
 # Set it to "YES" to enable apache22
+# apache22_profiles (str): Set to "" by default.
+# Define your profiles here.
 # apache22limits_enable (bool):Set to "NO" by default.
 # Set it to yes to run `limits $limits_args`
 # just before apache starts.
@@ -33,46 +35,113 @@ reload_precmd="apache22_checkconfig"
 reload_cmd="apache22_graceful"
 graceful_cmd="apache22_graceful"
 gracefulstop_cmd="apache22_gracefulstop"
+configtest_cmd="apache22_checkconfig"
 command="%%PREFIX%%/sbin/httpd"
-pidfile="/var/run/httpd.pid"
+_pidprefix="/var/run/httpd"
+pidfile="${_pidprefix}.pid"
 required_files=%%PREFIX%%/etc/apache22/httpd.conf
 [ -z "$apache22_enable" ] && apache22_enable="NO"
+[ -z "$apache22_profiles" ] && apache22_profiles=""
 [ -z "$apache22_flags" ] && apache22_flags=""
 [ -z "$apache22limits_enable" ] && apache22limits_enable="NO"
 [ -z "$apache22limits_args" ] && apache22limits_args="-e -C daemon"
 [ -z "$apache22_http_accept_enable" ] && apache22_http_accept_enable="NO"
+apache22_accf() {
+ if checkyesno apache22_http_accept_enable
+ then
+ /sbin/kldstat | grep accf_http 2>&1 > /dev/null
+ retcode=${?}
+ if [ ${retcode} -ne 0 ]
+ then
+ /sbin/kldload accf_http 2> /dev/null
+ retcode=${?}
+ fi
+ else
+ apache22_flags="${apache22_flags} -DNOHTTPACCEPT"
+ fi
+ [ ${retcode} -ne 0 ] && echo "Unable to load accf_http module"
+ return ${retcode}
+}
+
 load_rc_config $name
-if checkyesno apache22_http_accept_enable
-then
- if ! /sbin/kldstat -q -m accf_http
- then
- /sbin/kldload accf_http
+if [ -n "$2" ]; then
+ profile="$2"
+ if [ "x${apache22_profiles}" != "x" ]; then
+ pidfile="${_pidprefix}.${profile}.pid"
+ eval apache22_configfile="\${apache22_${profile}_configfile:-}"
+ if [ "x${apache22_configfile}" = "x" ]; then
+ echo "You must define a configuration file (apache22_${profile}_configfile)"
+ exit 1
+ fi
+ required_files="${apache22_configfile}"
+ eval apache22_enable="\${apache22_${profile}_enable:-${apache22_enable}}"
+ eval apache22_flags="\${apache22_${profile}_flags:-${apache22_flags}}"
+ eval apache22_http_accept_enable="\${apache22_${profile}_http_accept_enable:-${apache22_http_accept_enable}}"
+ eval apache22limits_enable="\${apache22limits_${profile}_enable:-${apache22limits_enable}}"
+ eval apache22limits_args="\${apache22limits_${profile}_args:-${apache22limits_args}}"
+ apache22_flags="-f ${apache22_configfile} -c \"PidFile ${pidfile}\" ${apache22_flags}"
+ else
+ echo "$0: extra argument ignored"
 fi
 else
- apache22_flags="-DNOHTTPACCEPT $apache22_flags"
+ if [ "x${apache22_profiles}" != "x" -a "x$1" != "x" ]; then
+ if [ "x$1" != "xrestart" ]; then
+ for profile in ${apache22_profiles}; do
+ echo "===> apache22 profile: ${profile}"
+ %%PREFIX%%/etc/rc.d/apache22.sh $1 ${profile}
+ retcode="$?"
+ if [ "0${retcode}" -ne 0 ]; then
+ failed="${profile} (${retcode}) ${failed:-}"
+ else
+ success="${profile} ${success:-}"
+ fi
+ done
+ exit 0
+ else
+ restart_precmd=""
+ fi
+ fi
 fi
+if [ "${1}" != "stop" ] ; then \
+ apache22_accf || apache22_flags="${apache22_flags} -DNOHTTPACCEPT"
+fi
+
+apache22_requirepidfile()
+{
+ if [ ! "0`check_pidfile ${pidfile} ${command}`" -gt 1 ]; then
+ echo "${name} not running? (check $pidfile)."
+ exit 1
+ fi
+}
+
 apache22_checkconfig() {
 echo "Performing sanity check on apache22 configuration:"
- ${command} ${apache22_flags} -t
+ eval ${command} ${apache22_flags} -t
 }
 apache22_graceful() {
+ apache22_requirepidfile
+
 echo "Performing a graceful restart"
- ${command} -k graceful
+ eval ${command} ${apache22_flags} -k graceful
 }
 apache22_gracefulstop() {
+ apache22_requirepidfile
+
 echo "Performing a graceful stop"
- ${command} -k graceful-stop
+ eval ${command} ${apache22_flags} -k graceful-stop
 }
 apache22_precmd() {
+ apache22_checkconfig
+
 if test -f %%PREFIX%%/sbin/envvars
 then
 . %%PREFIX%%/sbin/envvars
@@ -87,5 +156,5 @@ apache22_precmd()
 }
-extra_commands="reload graceful gracefulstop"
+extra_commands="reload graceful gracefulstop configtest"
 run_rc_command "$1"
diff --git a/www/apache22/files/patch-secfix-CAN-2005-3357 b/www/apache22/files/patch-secfix-CAN-2005-3357
new file mode 100644
index 000000000000..0a46eb11db32
--- /dev/null
+++ b/www/apache22/files/patch-secfix-CAN-2005-3357
@@ -0,0 +1,21 @@
+--- modules/ssl/ssl_engine_kernel.c 2005/11/10 15:20:05 332309
++++ modules/ssl/ssl_engine_kernel.c 2006/01/13 14:21:42 368730
+@@ -202,11 +202,14 @@
+ }
+
+ /*
+- * Check to see if SSL protocol is on
++ * Check to see whether SSL is in use; if it's not, then no
++ * further access control checks are relevant. (the test for
++ * sc->enabled is probably strictly unnecessary)
+ */
+- if (!((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL) || ssl)) {
++ if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
+ return DECLINED;
+ }
++
+ /*
+ * Support for per-directory reconfigured SSL connection parameters.
+ *
+ + |
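Review bot: In `apache22_accf` the variable `retcode` is assigned only on the `checkyesno` branch, so when `apache22_http_accept_enable` is NO the trailing `[ ${retcode} -ne 0 ]` expands to `[ -ne 0 ]`, which fails with a test error, and the bare `return ${retcode}` then returns that failure; the caller's `apache22_accf || apache22_flags="${apache22_flags} -DNOHTTPACCEPT"` therefore appends the define a second time and an error is printed on every start. Initialising the variable as the function's first statement, `retcode=0`, fixes both. Separately, the profile loop collects `failed` and `success` but never reports them and always runs `exit 0`, so a profile that fails to start is invisible to rc at boot time; replacing `exit 0` with `[ -z "${failed:-}" ] && exit 0; echo "Failed profiles: ${failed}"; exit 1` would surface it. The redirection order `2>&1 > /dev/null` on the kldstat grep also leaves grep's stderr on the console; `> /dev/null 2>&1` is probably what was intended.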